Advanced smart card options on Mac
Smart card configuration settings
You can view and edit specific smart card configuration settings and logs on a Mac computer by using the command line for the following options:
List tokens available in the system.
pluginkit -m -p com.apple.ctk-tokens
com.apple.CryptoTokenKit.setoken(1.0)
com.apple.CryptoTokenKit.pivtoken(1.0)
Enable, disable or list disabled smart card tokens.
sudo security smartcards token [-l] [-e token] [-d token]
Unpair the smart card.
sudo sc_auth unpair -u jappleeed
Display available smart cards.
sudo security list-smartcards
Export items from a smart card.
sudo security export-smartcard
Smart card logging.
sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool true
Disable built-in PIV tokens.
sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
In addition to using the command line, the following options can also be managed using the Smart Card payload. For more information, see the Smart Card MDM payload settings.
Suppress prompt to pair on token insertion.
sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool false
Limit user account pairing to a single smart card.
sudo defaults write /Library/Preferences/com.apple.security.smartcard oneCardPerUser -bool true
Disable smart card user for login and authorization.
sudo defaults write /Library/Preferences/com.apple.security.smartcard allowSmartCard -bool false
Note: When disabling allowSmartCard, smart card certificates identities can still be used for other operations such as signing and encryption and in supported third-party apps.
Manage smart card certificate trust behavior.
sudo defaults write /Library/Preferences/com.apple.security.smartcard checkCertificateTrust -int <value>
The value can be one of the following:
0: Smart card certificate trust isn’t required.
1: Smart card certificate and chain must be trusted.
2: Certificate and chain must be trusted and not receive a revoked status.
3: Certificate and chain must be trusted and revocation status is returned valid.
Certificate pinning
It’s possible to specify which Certificate Issuing Authorities are used for the trust evaluation of smart card certificates. This trust, which works in conjunction with Certificate Trust settings (1, 2, or 3 required), is known as certificate pinning. Place SHA-256 fingerprints of Certificate Authorities (as string values, comma delimited, and without spaces) in an array named TrustedAuthorities
. Use the example /private/etc/SmartcardLogin.plist file below as guidance. When certificate pinning is used, only SmartCard certificates issued by Certificate Authorities in this list are evaluated as trusted. Note that the TrustedAuthorities
array is ignored when the checkCertificateTrust
setting is set to 0 (off). Verify that the ownership is “root” and permissions are set to “world read” after editing.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttributeMapping</key>
<dict>
<key>dsAttributeString</key>
<string>dsAttrTypeStandard:AltSecurityIdentities</string>
<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>Kerberos:$1</string>
</dict>
<key>TrustedAuthorities</key>
<array>
<string>SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2</string>
</array>
</dict>
</plist>